Analyzing the Effectiveness of Phishing at Network Level Sagar - - PowerPoint PPT Presentation

▶

Nov 19, 2023 139 likes •398 views

Analyzing the Effectiveness of Phishing at Network Level Sagar Mehta, Nitya Sundareswaran, Kevin D. Fairbanks, Nick Feamster Motivation Source - Phishing Activity Trends Report July, 2006 , Anti-Phishing workgroup Our work done from Jan

SLIDE 1

Analyzing the Effectiveness of Phishing at Network Level

Sagar Mehta, Nitya Sundareswaran, Kevin D. Fairbanks, Nick Feamster

SLIDE 2

Motivation

Source - Phishing Activity Trends Report July, 2006 , Anti-Phishing workgroup
Our work done from Jan 07 – Apr 07

SLIDE 3

Related Work

Mostly at application layer

Why phishing works ? – Dhamija et al
The Battle Against Phishing:Dynamic Security Skins - Dhamija et al
Detection of Phishing pages based on visual similarity - Liu et al
Phoney: Mimicking User Response to Detect Phishing Attacks -Chandrasekaran et al
A Framework for Detection and Measurement of Phishing Attacks - Doshi et al
Anti-Spam Techniques

SLIDE 4

Problem Statement

Looking at the effectiveness of Phishing from network

level = Complementary approach to application layer analysis

Correlate Phishing mails to outgoing traffic
Analyze traffic destined to Phishing sites

SLIDE 5

System Architecture

SLIDE 6

Data sources

Spam Trap data
Netflow Records
DNS cache

SLIDE 7

Parsing script

Parsing script to obtain urls from spam
Filter using heuristics to obtain phishing urls
anchor text and actual link disagree
redirection – http 302, meta keyword
presence of certain keywords
presence of ip address in place of domain name
Caveats:
Human intervention for correct interpretation of URL
http://www.example-com, Replace “-”with “.” In the above link
http://www.example .com, Remove space in the above link
Attached .jpg images that provide the URL address – no OCR
Deceptive user names e.g. ‘www.example1.com@example2.com’

SLIDE 8

Querying Script

Querying script to map phishing domains to IP addresses Simulating HTTP client to follow redirects

Status code 300-307 in HTTP response
Meta redirects

Caveat

Avoid corrupting the trace while mapping phishing domains to IP addresses

by directing queries to a foreign name server Extracted ip addresses to further query netflow data from GTRNOC to get netflow tuples using src ip, src port , dest ip, dest port as ‘key’

SLIDE 9

Interaction with known phishing Sites from PhishTank – wide varation in byte distribution even when interacting with sites imitating the same website

SLIDE 10

Similar variation in connection time distribution even when interacting with sites imitating the same website

SLIDE 11

How many unique phishing sites did a source address visit ?

SLIDE 12

How many times a connection was made to a phishing site ?

SLIDE 13

96 hour window around the receipt of Bank of America phishing email in the spam trap

SLIDE 14

Connections made by diff src addresses to Bank of America phishing site – Observations in line with “persistent connection behavior of browsers” by wang et al

SLIDE 15

Bytes Percentage

SLIDE 16

Seconds Percentage

SLIDE 17

Challenges while analyzing phishing at network level

Lack of application layer context
Not everybody sees the same set of spam/phishing emails
Redirection Techniques
Avg lifetime of a phishing site typically very small
Timing differences
Multiple Domain Hosting
Other researchers on the same network

SLIDE 18

Recommendations and Future Work

Combined Data Sources
Application Level Sources
DNS Traces
Multiple Vantage Points - Different Universities with

Spam Traps

Can help address questions about -
Targeted Phishing
Percentage Phishing Mails per Spam Trap

SLIDE 19

Acknowledgements

"The logs and netflow traces used in this work were

made available by the Georgia Tech Research Network Operations Center (www.rnoc.gatech.edu)

SLIDE 20

SLIDE 21

96 hour window around the receipt of phishing email about site hosted on yahoo geocities in the spam trap

SLIDE 22

SLIDE 23

Bytes Percentage

SLIDE 24

Seconds Percentage